Free Malware Removal Forum


One outstanding O3 entry to fix, once that is done your HijackThis is showing a clean log BUT we still need to get rid of hidden malware. We will start with that entry and then move on to update the hidden stuff.

With all other windows closed, start your HijackThis and click on Scan

Click in the check-box to the left of each of the following entries, if found

Select the Download Latest Version link (top of green column) and save to your desktop

Right-click the ccsetup127.exe file on your desktop and select Open

Follow the on-screen instructions through to the Install Options page. I suggest you only retain the following 2 options

Add Desktop Shortcut

Automatically check for updates etc…

Click Install

To set up CCleaner

Click on the CCleaner icon on your desktop.

From the menu on the left select Options

Now select Advanced. On the right remove the check against Only delete files in Windows Temp folders older than 48 hours.

Select Cookies. When CCleaner is run it will remove all of the cookies in the left window; if there are cookies that you wish to retain then select them and transfer them to the right window. Multiple selections can be made by holding down the Ctrl key before selecting.

Select Cleaner from the left menu and the Windows tab

Under Internet Explorer place ticks in all but the last box

Under Windows Explorer tick the last two only

Under System tick all boxes

There is no need to tick anything under Advanced

From the menu on the left click on Analyze

When the analysis is complete, click on Run Cleaner and OK at the next screen.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Ewido quarantined those files, therefore, I cannot access them with Windows Explorer. Do you want me to remove them from the quarantine section?
How do I obtain the uninstall list?
Here's the Ewido report:

I want to talk you through a manual deletion in the registry – It is IMPERATIVE that you take this in THE EXACT ORDER that it is written, otherwise you could do irreparable damage to your computer for which I will take no responsibility. (Pommy coward!)

Click Start and select Run, in the new dialogue box please type Regedit

When the Registry Editor window opens click File from the menu bar and then select Export from the drop down menu

Choose a suitable name (I use SavedReg160806 where the figures are the date) and select desktop as the location. This is so that the registry can be restored to its current state if required.

Ensure that ALL is selected in the Export Range and then click Save

In the left of the 2 windows, if the list is in any way expanded then press and hold the left arrow key until the only thing left is My Computer

Click the + sign to the left of My Computer to expand to the next phase.

Click the + signs next to HKEY_LOCAL_MACHINE and then SOFTWARE

Scroll down and expand Microsoft and then Shared Tools

Now expand MSConfig and then startupreg

In the list below startupreg I want you to locate the following 3 entries – in turn. Right-click on each of them and from the choices select Delete. You will get a confirmation box asking whether you want to delete the key and all its subkeys; please select Yes for each of the following keys:

defender

Keyboard

newname

Once all three have been deleted, then collapse the left pane by using the left arrow again and close the Registry Editor
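The same back-up-then-delete sequence can be scripted. This is an added example, not part of the original post: the function name and backup file name are hypothetical, it exports only the startupreg branch (the post exports the whole registry), and it assumes each entry carries the `command` value that msconfig stores for a disabled startup item.

```powershell
# Added example (not from the thread): back up the startupreg branch, then
# remove the named subkeys. Run from an elevated prompt; HKLM needs admin rights.
$StartupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Remove-StartupRegEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$Name,
        [string]$BackupDir = [Environment]::GetFolderPath('Desktop')
    )
    if (-not (Test-Path -LiteralPath $StartupReg)) {
        Write-Warning "Key not found: $StartupReg"
        return
    }
    # Step 1: export before touching anything, and stop if the export fails.
    $backup = Join-Path $BackupDir ('startupreg-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg' $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was deleted.' }
    Write-Output "Backup written to $backup"

    # Step 2: handle each named entry in turn, showing what it used to launch.
    foreach ($n in $Name) {
        $path = Join-Path $StartupReg $n
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Output "${n}: not present"
            continue
        }
        $cmd = (Get-ItemProperty -LiteralPath $path).command
        Write-Output "${n}: command = $cmd"
        if ($PSCmdlet.ShouldProcess($path, 'Delete key and all subkeys')) {
            Remove-Item -LiteralPath $path -Recurse
        }
    }
}

# Dry run first: -WhatIf reports what would be deleted without deleting it.
Remove-StartupRegEntry -Name 'defender', 'Keyboard', 'newname' -WhatIf
```

Drop `-WhatIf` to perform the deletion; double-clicking the exported `.reg` file restores the branch.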

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

First we make sure that any files in a System Restore point can not re-infect your computer by removing all old system restore points.

Select the Start button and from the available options

Right-click the My Computer option and select Properties.

Click on the System Restore tab.

Check the box against Turn off System Restore on all drives. Click OK

Click Yes to confirm, then restart the computer

After the restart, re-enable System Restore by following steps a-c, but in step c, click to clear the Turn off System Restore on all drives check box.

Restore your Hidden & System files to their normal state by

Select the Start button and from the available options

Right-click the My Computer option.

Select Explore from the drop-down menu

Select the Tools menu and click Folder Options. from the new window

Select the View Tab.

Under the Hidden files and folders heading remove the tick from Show hidden files and folders by clicking in the check-box to its left

Replace the check against Hide protected operating system files (recommended) option, again by clicking the check-box to its left.

Click Yes to confirm.

Click OK.

Give it a week or two of trouble free computing and then you can safely delete the Killbox and Avenger folders and their contents as they are specific use tools, you can also remove HijackThis from your system as it may well be out-of-date if you have further problems.

Preventative measures

Firstly, make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Please retain both the Spybot and AdAware programmes and run them at regular intervals after updating them. You might note that Spybot is now at version 1.4.

In addition I would suggest that you install the following 3 free programs, keep these updated as they are background tools

IE-SpyAd puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. A tutorial is available here

Windows Updates – Please bring your Windows and Internet Explorer up-to-date with Service Pack 2 now that you are clean. It is very important to ensure that Internet Explorer and Windows are kept up to date with the latest critical security patches from Microsoft. Click on the Start button and select Windows Update, follow the online instructions from there.

On a similar vein do ensure that all of your Anti-Virus and Anti-Malware software are also kept up to date.

To find out more information about how you got infected in the first place and some excellent guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Lawrence Abrams

Should you wish to register a complaint about your problems then your main infection was by Vundo. Please go to this site, locate your country and register your complaint -

Best wishes, safe surfing and a happy marriage in the not so distant future.
GT
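The six Internet-zone settings from the Internet Explorer steps above can be checked from the registry instead of the dialog. This is an added example, not part of the original post: the function name is hypothetical, and it reads the current user's zone 3 (Internet) values, where 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
# Added example (not from the thread): audit the Internet zone against the
# values recommended in the post. Keys are Internet Explorer URL action IDs.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Wanted = @(
    @{ Id = '1001'; Want = 1; Name = 'Download signed ActiveX controls' },
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' },
    @{ Id = '1201'; Want = 3; Name = 'Initialize and script ActiveX controls not marked as safe' },
    @{ Id = '1800'; Want = 1; Name = 'Installation of desktop items' },
    @{ Id = '1804'; Want = 1; Name = 'Launching programs and files in an IFRAME' },
    @{ Id = '1607'; Want = 1; Name = 'Navigate sub-frames across different domains' }
)

function Test-InternetZoneHardening {
    param([switch]$Fix)   # -Fix writes the recommended value where it differs
    $current = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($s in $Wanted) {
        $have = $current.($s.Id)          # $null when the value is not set
        if ($Fix -and $have -ne $s.Want) {
            Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $s.Want -Type DWord
            $have = $s.Want
        }
        # Translate the DWORD to the wording used in the Security Settings dialog.
        if ($null -eq $have) { $shown = '(not set)' }
        elseif ($ValueText.ContainsKey([int]$have)) { $shown = $ValueText[[int]$have] }
        else { $shown = "raw value $have" }
        [pscustomobject]@{
            Setting  = $s.Name
            Current  = $shown
            Expected = $ValueText[$s.Want]
            OK       = ($have -eq $s.Want)
        }
    }
}

# Report only; nothing is changed unless -Fix is passed.
Test-InternetZoneHardening | Format-Table -AutoSize
```

Only the per-user values are read; settings enforced through policy are stored elsewhere and are not covered by this check.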

I need to thank you and your tutor for all the help, patience & commitment put into solving my problem. I really appreciate it. ^__^ I would've given up long ago and formatted but then I found malware removal and there are great people around here who are dedicated to helping others solve problems, and you're one of them. I thank you once again. ^__^
